** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20150507]

Title:   EGI SVG Advisory 'High' RISK at least RH7 and derivatives - Linux vulnerabilities CVE-2015-1318 CVE-2015-1862 CVE-2015-3315 [EGI-ADV-20150507]
Date:    2015-05-07
Updated: 2015-07-06
URL:     https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/LinuxCVEs-2015-05-07

Introduction
============

3 new vulnerabilities have been found in Linux, which may allow privilege escalation to root:

CVE-2015-1318, CVE-2015-1862, CVE-2015-3315

Some versions of Linux which are used in the EGI infrastructure are vulnerable to one or more of these issues.

Sites using vulnerable versions for which a fix is available are recommended to patch as soon as possible.

Sites using Red Hat Enterprise Linux 6 and 7 should disable ABRT as soon as possible.

**UPDATE** Now fixed for RH7 - see [R 8]

Details
=======

Initial information has been sent to [R 1]; see also the other references.

Risk category
=============

The exact effect, and hence the risk associated with these vulnerabilities, varies between Linux versions.

This issue has been assessed as 'High' risk by the EGI CSIRT and EGI SVG Risk Assessment Team for CVE-2015-3315 in the case of RedHat 7 and its derivatives.

Affected software
=================

For RedHat
----------

RH6 and RH7 and derivatives are vulnerable to CVE-2015-3315. See [R 2]

**UPDATE** This has now been fixed for RedHat. See [R 8]

RedHat is not vulnerable to CVE-2015-1318, CVE-2015-1862 [R 7]

For Debian
----------

So far not reported to be vulnerable, see [R 3], [R 4], [R 5]

For Ubuntu
----------

CVE-2015-1318 is an issue for Ubuntu 14 - Fixed [R 6]
CVE-2015-1862 Does not apply
CVE-2015-3315 Does not apply.

Mitigation
==========

Sites should disable ABRT if they are affected and cannot patch - see , this should be carried out urgently in the case of RH7.

**UPDATE** A patch is now available for RH7.
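The mitigation above is "disable ABRT". The script below is an added example, not part of this advisory and not Red Hat's or EGI's own tooling: it turns a host's service inventory (the output of `systemctl list-unit-files` on RH7-style hosts, or `chkconfig --list` on RH6-style hosts) into a dry-run plan of the stop/disable commands an administrator would then run as root. The sample inventories and the abrt-* unit and service names in them are constructed for illustration; on a real host only the names the inventory actually reports are used.

```shell
#!/bin/sh
# Added example, not part of the EGI advisory or of Red Hat's own guidance:
# build a dry-run plan for the "disable ABRT" mitigation on RH6 (SysV init)
# and RH7 (systemd) hosts from the host's service inventory.
# Nothing here stops or disables a service; it only prints the commands.

# Constructed sample of `systemctl list-unit-files` output for an RH7-style
# host. The abrt-* unit names below are assumed for illustration.
SAMPLE_RH7_UNITS='UNIT FILE                      STATE
abrt-ccpp.service              enabled
abrt-oops.service              enabled
abrt-xorg.service              disabled
abrtd.service                  enabled
crond.service                  enabled
sshd.service                   enabled'

# Constructed sample of `chkconfig --list` output for an RH6-style host.
# Service names are assumed for illustration.
SAMPLE_RH6_SERVICES='abrtd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
abrt-ccpp       0:off 1:off 2:off 3:on  4:off 5:on  6:off
crond           0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# RH7: print the abrt-* units whose unit file is "enabled", one per line.
# $1 is text in `systemctl list-unit-files` format.
enabled_abrt_units() {
    printf '%s\n' "$1" | awk '$1 ~ /^abrt/ && $2 == "enabled" { print $1 }'
}

# RH6: print the abrt-* SysV services switched on at runlevel 3 or 5.
# $1 is text in `chkconfig --list` format.
enabled_abrt_services() {
    printf '%s\n' "$1" | awk '$1 ~ /^abrt/ {
        for (i = 2; i <= NF; i++) if ($i ~ /^[35]:on$/) { print $1; break }
    }'
}

# RH7 plan: stop each enabled unit now and keep it off across reboots.
# stop and disable are issued as two commands so the plan also works on
# systemd versions that lack the --now option.
rh7_disable_plan() {
    enabled_abrt_units "$1" | while read -r unit; do
        printf 'systemctl stop %s\n' "$unit"
        printf 'systemctl disable %s\n' "$unit"
    done
}

# RH6 plan: stop the running service and remove it from every runlevel.
rh6_disable_plan() {
    enabled_abrt_services "$1" | while read -r svc; do
        printf 'service %s stop\n' "$svc"
        printf 'chkconfig %s off\n' "$svc"
    done
}

# Live mode (opt-in): read this host's real inventory, still printing
# commands only. Run `sh this.sh --live` to use it; an empty plan means
# no abrt-* service is enabled, i.e. the mitigation is already in place.
if [ "${1:-}" = "--live" ]; then
    if command -v systemctl >/dev/null 2>&1; then
        rh7_disable_plan "$(systemctl list-unit-files --type=service)"
    elif command -v chkconfig >/dev/null 2>&1; then
        rh6_disable_plan "$(chkconfig --list)"
    fi
else
    echo "# RH7 sample plan"; rh7_disable_plan "$SAMPLE_RH7_UNITS"
    echo "# RH6 sample plan"; rh6_disable_plan "$SAMPLE_RH6_SERVICES"
fi
```

Re-running the script in live mode after the commands have been applied doubles as the check that the mitigation took effect: the plan should come back empty. Once the RH7 errata in [R 8] has been installed, ABRT can be re-enabled if a site depends on it.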
Component installation information
==================================

See software providers' information.

Recommendations
===============

Sites running vulnerable versions are recommended to update relevant components or take mitigating action as soon as possible.

Credit
======

SVG was first alerted to these vulnerabilities by Mischa Salle at Nikhef. See references for original discoverer.

References
==========

[R 1] http://seclists.org/fulldisclosure/2015/Apr/34
[R 2] https://access.redhat.com/articles/1415483
[R 3] https://security-tracker.debian.org/tracker/CVE-2015-1318
[R 4] https://security-tracker.debian.org/tracker/CVE-2015-1862
[R 5] https://security-tracker.debian.org/tracker/CVE-2015-3315
[R 6] http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1318.html
[R 7] https://bugzilla.redhat.com/show_bug.cgi?id=1211835#c12
[R 8] https://rhn.redhat.com/errata/RHSA-2015-1083.html

Common Vulnerabilities and Exposures
====================================

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1318
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3315

NVD
===

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1318
(Others are not there yet.)

Timeline
========

Yyyy-mm-dd
2015-04-15 SVG alerted to Vulnerabilities by Mischa Salle
2015-04--- On-going checking and assessment by the EGI Software Vulnerability Group.
2015-04-30 Updated packages available in most cases
2015-05-07 Alert sent to sites
2015-07-06 Updated as fixed for RH7.